FIREWALL FOR GATEWAY NETWORK ELEMENTS BETWEEN IP BASED NETWORKS



BACKGROUND OF THE INVENTION 

The present invention relates to firewalls in network elements. More specifically, 
the invention relates to firewalls in gateway network elements between IP (Internet 
Protocol) based networks. 

SONET/SDH ADMs (Add Drop Multiplexers) and MSPPs (Multi Service 
Provisioning Platforms) use SONET/SDH overhead bytes to establish communication 
channels between nodes. These communication channels are called DCCs. 

In configuring ADMs and MSPPs, special purpose nodes, referred to as GNEs 
(Gateway Network Elements), act to terminate the DCCs and to forward management 
traffic across a DCN (Data Communications Network) to the NOC (Network Operations 
Center). 

The industry specification for SONET/SDH ADMs was originally included in 
GR-253, the contents of which are herein incorporated by reference in their entirety, and 
it prescribed an OSI communication stack for DCCs. Because DCNs traditionally used 
IP based communication, the GNE became a natural demarcation between the OSI based 
DCC and the IP based DCN. This demarcation has become well understood and several 
features of the behavior of SONET ADMs and MSPPs have developed as a consequence 
of this OSI/IP separation enforced on the GNEs. 

Today, the industry standard G.7712, the contents of which are herein 
incorporated by reference in their entirety, allows IP DCCs as a standard option. Thus, 
the DCN and DCC can both be IP based. 

The problem that has been encountered is that users have come to rely on certain 
features of the separation between an OSI based DCC and an IP based DCN, but, in a 
system with an IP based DCC, this separation and these features are missing. In a system 
with a GNE between two IP based networks, there is a strong need for the GNE to have 
an onboard separation between the networks that mimics the features of the separation 
between the OSI based DCC and the IP based DCN found in legacy systems. 
Additionally, it would be desirable if the GNE implemented this onboard. 
SUMMARY OF THE INVENTION 



The present invention provides innovative techniques for implementing a firewall 
in a gateway network element between two IP based networks. In general, packets can 
be filtered out that specify the gateway network element as the source, where the packet 
comes from the network that is not visible to the other network. For example, if a packet 
on the DCC going to the gateway network element specifies the gateway network element as 
the source, the packet is discarded. This can prevent malicious packets from being 
directed at a network element on the DCN. Some specific embodiments of the 
invention are described below. 

In one embodiment, the invention provides a gateway network element that 
provides access to network elements that are not directly reachable. The gateway 
network element comprises a processor that is directed by code. Additionally, the 
gateway network element comprises code that receives and sends packets over a first IP 
based interface to the first network; code that receives and sends packets over a second IP 
based interface to the second network, wherein IP addresses of network elements in the 
second network are not visible to network elements in the first network; and code that 
filters out packets received over the second IP based interface that specify the gateway 
network element as the source. 

In another embodiment, the invention provides a method for providing access to 
network elements that are not directly reachable. Packets are sent and received over a 
first IP based interface to the first network. Packets are also sent and received over a 
second IP based interface to the second network, wherein IP addresses of network 
elements in the second network are not visible to network elements in the first network. 
Packets received over the second IP based interface that specify the gateway network 
element as the source are filtered out. 

Other features and advantages of the invention will become readily apparent upon 
review of the following description in association with the accompanying drawings, 
where the same or similar structures are designated with the same reference numerals. 
BRIEF DESCRIPTION OF THE DRAWINGS 



FIG. 1 shows a block diagram of an example network environment where a GNE 
can act as a gateway between two IP based networks. 

FIG. 2 illustrates a block diagram of a network device, computer system or 
subsystems thereof that can utilize embodiments of the invention. 

FIG. 3 shows a flowchart of a process that implements a firewall at the GNE. 

FIG. 4 illustrates a block diagram of an example network environment including a 
NOC that is in communication through a WAN with multiple central office LANs. 
DETAILED DESCRIPTION OF EMBODIMENTS 



In the description that follows, the present invention will be described in reference 
to embodiments that are used in association with the Cisco Transport Controller (CTC). 
CTC is a Java application that is typically run from a laptop PC. However, embodiments 
of the invention are not limited to any particular environment, protocol, application, or 
implementation. For example, although embodiments of the invention will be described 
in association with CTC, the invention can be advantageously applied to other systems 
with similar connectivity. Therefore, the description of the embodiments that follows is 
for purposes of illustration and not limitation. 

FIG. 1 shows an example network environment where a GNE can act as a 
gateway to provide access to network elements that are otherwise unreachable. Network 
101 can include any number of network elements including routers, switches, hubs, 
servers, computer systems, and the like. Network 101 uses an IP based interface to 
communicate with GNE 103. The IP address of GNE 103 is visible to network 101 and 
therefore packets can be sent directly from network elements in network 101 to GNE 
103. 

ENEs (External Network Elements) 105 are in network 107 with GNE 103. 
ENEs are network elements that are not directly reachable from outside the network. 
Thus, network elements in network 101 should not be able to directly access ENEs 105. 
GNE 103 provides access to ENEs 105 so network elements in network 101 go through 
GNE 103 to communicate with ENEs 105. 
As described above, if an OSI based interface (DCC) is utilized in network 107, 
there is a natural demarcation between the OSI and IP interface networks supporting the 
feature that ENEs are not directly reachable from outside network 107 (e.g., from 
network elements in network 101). However, in embodiments of the invention, an IP 
based interface is utilized to communicate between network elements in network 107. 

As network 101 and network 107 both utilize IP based interfaces to communicate, 
the natural demarcation between the networks is not present. However, it is desirable to 
provide many of the features that are available in OSI/IP based heterogeneous networks. 

Embodiments of the invention provide a firewall in GNE 103 that, among other 
things, makes ENEs 105 unreachable directly by network elements in 
network 101. The firewall is a software executing entity directed by code that scans 
packets that are received by and are to be sent by GNE 103 to ensure that the packets do 
not violate one or more rules. If a packet violates a rule, the packet is discarded. In other 
embodiments, one or more of the packets to be discarded can be saved or forwarded for 
analysis. 

The firewall on GNE 103 examines packets that it receives from ENEs 105 on 
network 107. If a packet specifies as the source address the IP address of the GNE, the 
packet is discarded. Such a packet could be utilized as a one way attack on a network 
element on network 101. It is preferable that the firewall be implemented onboard the 
GNE so that this rule can be more readily enforced. 
Additionally, the firewall on GNE 103 can adhere to a rule that all packets being 
sent from GNE 103 to network 101 specify the source address as the GNE. Thus, packets 
are sent to network 101 only when the packets specify the GNE as the source. This 
ensures that the IP addresses of ENEs 105 are not provided to network elements in 
network 101. 

The firewall on GNE 103 can also examine packets coming from network 101. A 
rule can be enforced that packets received by GNE 103 from network 101 must specify 
the GNE as the destination address or be a multicast message. 

Now that the general operation of an embodiment of the GNE has been described, 
FIG. 2 shows a block diagram of components that can be present in network devices and 
computer systems that implement embodiments of the invention. A processor 201 
executes code (or instructions) that direct the operation of the processor. Although 
processors typically have memory caches, processor 201 utilizes memory 203, which can 
store code and data. 

A non-volatile storage 205 can store code and data such that it is typically 
persistent and provides more storage when compared to memory 203. At present, a 
common non-volatile storage is one or more hard drives. A removable storage 207 
provides mobility to code and/or data that are stored thereon. Examples of removable 
storage are floppy disks, tape, CD/ROM, flash memory devices, and the like. 

Memory 203, non-volatile storage 205 and removable storage 207 provide 
examples of computer readable storage media that can be utilized to store and retrieve 
computer programs incorporating codes that implement the invention, data for use with 
the invention, and the like. Additionally, a data signal embodied in a carrier wave (e.g., 
in a network including the Internet) can be the computer readable storage medium. An 
input 209 allows a user to interface with the system. Input can be done through the use of 
a keyboard, a mouse, buttons, dials, or any other input mechanism. An output 211 allows 
the system to provide output to the user. Output can be provided through a monitor, 
display screen, LEDs, printer or any other output mechanism. Input and/or output can 
also be performed externally through a network interface 213. 

Network interface 213 allows the system to interface with a network to which it is 
connected. The components shown in FIG. 2 can be found in many network devices and 
computer systems. However, components can be added, deleted and combined so FIG. 2 
is for illustration purposes. Additionally, these components can also be present on 
subsystems (e.g., cards) in network devices and computer systems. 

FIG. 3 shows a flowchart of a process that implements a firewall at the GNE 
according to the invention. The steps shown in FIG. 3 are for illustrative purposes and 
steps can be added, deleted, combined, or reordered without departing from the spirit and 
scope of the invention. 

At a step 301, a packet is examined. The packet can be a packet that the GNE has 
received from either network or it can be a packet that the GNE is going to send (or 
forward). A category for the packet is identified for the packet at a step 303. In order to 
organize the rules for the firewall, the packets can be categorized with associated rules. 
For example, a category can be packets that are received from the network including the 
ENEs (e.g., network 107 in FIG. 1) and another category can be packets that are received 
from the network not including the ENEs (e.g., network 101 in FIG. 1). 

Additionally, packets that designate the GNE as the destination can be a separate 
category, which can further be divided into categories based on from which network the 
packet was received. Exemplary categories and rules for one embodiment will be 
described in more detail in reference to FIG. 4. 

At a step 305, the rules are checked for the category for the packet. If the packet 
is found to violate a rule at a step 307, the packet can be discarded (or not accepted) at a 
step 309. Information regarding the discarded packet can be stored or sent to a 
network device for analysis. Otherwise, the packet is allowed to be sent (or accepted) at 
a step 311. 

Now that a general description has been provided, it may be beneficial to describe 
a more specific embodiment. FIG. 4 shows a block diagram of an example network 
environment including a Network Operations Center (NOC) that is in communication 
through a WAN with multiple central office LANs. 

A NOC CTC station 401 is connected to multiple central offices through a 
COWAN (Central Office Wide Area Network or WAN). The connection of NOC CTC 
station 401 to the COWAN is via a router 403 that may use Network Address Translation 
(NAT). Router 403 prevents unauthorized inbound connections from the COWAN and 
the central office LANs. However, router 403 does allow connections from the NOC into 
the COWAN. 

At each central office there is a LAN, which interconnects GNEs. Each GNE is 
the access point to a ring of other NEs that are outside of the central office. As 
discussed above, ENEs are NEs that are not reachable from outside the network (e.g., the NEs 
can be outside of the central office itself). 

As shown, a GNE 405 acts as the gateway to ENEs 407. Field technicians that 
connect directly to the ENEs in the field are only allowed access to the NEs in that ring, 
and are not permitted to access other NEs on other rings in the central office, nor are 
they allowed to access any systems on or behind the COWAN. 

Field technicians can connect to ENEs using laptop 409, such as a WINDOWS 
laptop with a static IP address. Field technicians typically do not have system 
administrator privileges that allow them to change network settings. 

GNE 405 has two different IP interfaces, which can be called the Ethernet 
interface for traffic from router 403 and the DCC IP interface for traffic from ENEs 407. 
GNE 405 can act as a firewall that isolates the DCC IP traffic from Ethernet traffic. 
When the firewall is enabled, the GNE accepts a limited set of packets. The filtering 
rules depend on the interface at which the packet arrives, which define different 
categories. Packets arriving on the Ethernet interface are accepted only if their 
destination address is as follows: 

1. the GNE itself 
2. the GNE's subnet broadcast address 

3. within the 224.0.0.0/8 network (this is a reserved network that is used for 
standard multicast messages) 

Packets arriving on the DCC interface are accepted only if their destination 
address is as follows: 

1. the GNE itself 

2. an OSPF peer (another NE in the DCC mesh) 

3. within the 224.0.0.0/8 network (this is a reserved network that is used for 
standard multicast messages) 

If the packet is addressed to GNE 405 itself, this can create another category and 
additional rules are applied. Packets arriving on the Ethernet interface are tested as 
follows: 

1. UDP packets addressed to the SNMP trap relay port (391) are rejected 

2. All other packets are accepted 

Packets arriving on the DCC interface are tested as follows: 

1. UDP packets addressed to the SNTP port are accepted 

2. UDP packets addressed to the DHCP port are accepted 
3. UDP packets are otherwise accepted 

4. TCP packets addressed to the telnet port are rejected 

5. TCP packets addressed to the IO card telnet ports are rejected 

6. TCP packets addressed to the proxy server port are rejected 

7. TCP packets are otherwise accepted 

8. OSPF packets are accepted 

9. ICMP packets are accepted 

10. All other packets are rejected 

As discussed above, packets that are rejected can be silently discarded. The 
preceding have been exemplary categories and rules for one embodiment of the firewall. 
Other embodiments can utilize other categories and rules so the invention is not limited to 
the specific embodiments described herein. 
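The rule set above, together with the general source-address rules given earlier (a DCC-side packet claiming the GNE as its source is dropped; packets leaving toward network 101 must carry the GNE as source), can be written as a small packet classifier. The following is an added example, not code from the patent or from CTC; the GNE addresses, LAN subnet, OSPF peers, the IO card telnet ports and the proxy port are constructed assumptions, since the page gives only the SNMP trap relay port (391).

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing (assumptions, not from the page): the GNE's Ethernet-side and
# DCC-side addresses, the central office LAN subnet, and the OSPF peers in the DCC mesh.
GNE_ADDRS = {ipaddress.ip_address("10.1.1.5"), ipaddress.ip_address("192.168.100.1")}
ETH_SUBNET = ipaddress.ip_network("10.1.1.0/24")
OSPF_PEERS = {ipaddress.ip_address("192.168.100.2"), ipaddress.ip_address("192.168.100.3")}
MULTICAST = ipaddress.ip_network("224.0.0.0/8")  # reserved multicast range named on the page

# Ports: 391 (SNMP trap relay) is from the page and 23 is the standard telnet port; the
# IO card telnet ports and the proxy server port are not given, so these are placeholders.
SNMP_TRAP_RELAY, TELNET = 391, 23
IO_CARD_TELNET = {2001, 2002}  # placeholder
PROXY_PORT = 1080              # placeholder

@dataclass
class Packet:
    iface: str            # "eth" (toward router 403) or "dcc" (toward ENEs 407)
    src: str
    dst: str
    proto: str = "udp"    # "udp", "tcp", "ospf" or "icmp"
    dport: int = 0

def filter_inbound(p: Packet) -> str:
    """Return 'accept' or 'reject' for a packet arriving at the GNE (steps 301-311)."""
    src, dst = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    # General rule: a packet from the DCC that names the GNE as its source is spoofed.
    if p.iface == "dcc" and src in GNE_ADDRS:
        return "reject"
    to_gne = dst in GNE_ADDRS
    if p.iface == "eth":
        # Category: Ethernet side may address only the GNE, its subnet broadcast, or multicast.
        if not (to_gne or dst == ETH_SUBNET.broadcast_address or dst in MULTICAST):
            return "reject"
        if to_gne and p.proto == "udp" and p.dport == SNMP_TRAP_RELAY:
            return "reject"
        return "accept"
    # Category: DCC side may address the GNE, an OSPF peer, or multicast.
    if not (to_gne or dst in OSPF_PEERS or dst in MULTICAST):
        return "reject"
    if not to_gne:
        return "accept"
    # Addressed to the GNE itself: all UDP (SNTP and DHCP included) is accepted, TCP is
    # accepted except the management ports, OSPF and ICMP pass, anything else is rejected.
    if p.proto == "udp":
        return "accept"
    if p.proto == "tcp":
        return "reject" if p.dport in {TELNET, PROXY_PORT, *IO_CARD_TELNET} else "accept"
    return "accept" if p.proto in ("ospf", "icmp") else "reject"

def egress_to_dcn_allowed(src: str) -> bool:
    """Packets sent toward network 101 must carry the GNE as source so ENE addresses stay hidden."""
    return ipaddress.ip_address(src) in GNE_ADDRS
```

Rejected packets are simply reported here; a deployment would discard them silently or forward a copy for analysis, as the description allows.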

In some embodiments, a "proxy server" task runs on the GNE. The proxy server 
provides functionality similar to, and for the same reason as, a SOCKS proxy server. 
More information about the SOCKS Protocol can be found in SOCKS Protocol Version 5 
IETF RFC 1928, which is hereby incorporated by reference. The proxy server tunnels 
connections between a client (e.g., a CTC workstation) and a target (e.g., a DCC- 
connected NE). 
The proxy server thus can act as a bridge between any two endpoints that might 
not otherwise be able to communicate. Each endpoint should be able to communicate 
with the proxy server. The proxy server on the GNE provides forwarding from DCN IP 
addresses to DCC IP addresses. 

While the above is a complete description of preferred embodiments of the 
invention, various alternatives, modifications, and equivalents can be used. It should be 
evident that the invention is equally applicable by making appropriate modifications to 
the embodiments described above. For example, although the invention has been 
described in relation to specific embodiments, the invention can be advantageously 
applied to other embodiments. Therefore, the above description should not be taken as 
limiting the scope of the invention as defined by the metes and bounds of the appended 
claims along with their full scope of equivalents. 